Cryptojacking – More than a Nuisance, It Poses a Serious Threat to Data Centers

Cryptocurrency was among the biggest stories of 2017 when Bitcoin peaked at more than $19,000 per unit. While already popular among cybercriminal groups, especially when deploying ransomware, Bitcoin found new success in mass adoption among consumers. This catalyst was enough for cybercriminals to develop new methods to mine alternate cryptocurrencies, such as Monero, in hopes that they would become equally popular and profitable.

CoinHive – the JavaScript-based mining client that lets browsers be used to mine cryptocurrency – is the perfect example of distributed mining on commodity CPUs rather than GPUs, and it requires no on-device client since mining takes place within the browser. Delivered as JavaScript, it retains full cryptomining capability while being easier to deploy, easier to weaponize, less intrusive from a security perspective, and completely legitimate if used with the express permission of web visitors.

Seemingly the Holy Grail for website owners seeking to beef up revenue and not just rely on ads, browser-based cryptomining was quickly used by threat actors to hijack computing power from victims who visited legitimate websites hosting maliciously inserted cryptomining script.

From Nuisance to Threat

At first the average user was mostly exposed to cryptojacking when visiting an infected webpage that pushed CPU usage up to 100 percent to mine cryptocurrency. Threat actors quickly became aware of a serious limitation that would ultimately hinder their ability to generate money quickly. While using the CPU for mining does give them access to a wider pool of potential victims, mining becomes increasingly difficult over time, so they would need more and more computing power.

Consequently, turning to organizations and businesses with large data centers and infrastructures that could scale up the mining process was the next logical step for enterprising criminals. Driving up CPU cycles heavily impacts consolidation ratios and virtualization density in data centers, but threat actors have learned to adjust resource consumption so as not to trigger alarms. Instead of 100 percent CPU consumption, they cap it at 70 or 80 percent. As a result, a successful cryptojacking campaign within a data center or infrastructure with automatic provisioning could remain undetected for months, potentially generating millions of dollars’ worth of cryptocurrency.

If getting users to mine cryptocurrency was sometimes just a matter of exploiting trivial XSS or unpatched vulnerabilities in popular CMS platforms, going after data centers involves advanced techniques usually associated with advanced persistent threats. Criminals are using everything from military-grade exploits, such as EternalBlue, to fileless malware to breach data center security and deploy deceptively benign cryptojackers that steal compute power.

Sophisticated attack techniques traditionally used to drop malware payloads for data theft and exfiltration or covert surveillance tools are now used to drop cryptojackers. The fact that threat actors can manage to breach such a heavily fortified infrastructure just to deploy coin mining software is actually a serious security threat. While the payload appears benign, threat actors could have already exfiltrated data or deployed other tools, only to leave behind a crypto miner to generate extra revenue on the side.

While cryptojacking itself may not constitute a direct malicious attack, discovering such an operation within an infrastructure or data center can reveal a security blind spot that was actively exploited by threat actors. This should be of immediate concern, as the same security vulnerability could have already been used to deploy other malicious payloads aimed at cyberespionage or critical data extraction.

Impact on Data Centers

Data centers are where technology and performance meet to deliver better business scalability and low operating costs. Cryptojacking can threaten all this by throwing off performance and even increasing costs for businesses, especially those using an IaaS provider. Automated provisioning is the Achilles heel of data centers facing cryptojackers, as the threat leverages this performance optimization feature to scale its own mining operation.

For example, highly virtualized infrastructures that use VDIs or containerization tools may be altered to deploy crypto mining software whenever new instances are provisioned. If there’s no baseline performance metering for new and untampered instances, companies will have a hard time identifying a cryptomining operation hiding in their infrastructure, except through an increased monthly bill from their IaaS provider.
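One way to put the baseline metering described above into practice, as an added example that is not part of the original post: the check below compares each instance's sustained CPU floor against a clean, freshly provisioned instance of the same role, so that a miner capped at 70 to 80 percent is caught as readily as one pegged at 100 percent, while bursty legitimate load is not. All instance names and utilisation samples are constructed; a real deployment would keep one baseline per workload role.

```python
"""Sustained-CPU check against a clean-instance baseline (constructed example)."""
from statistics import mean, pstdev

# Constructed sample data: CPU utilisation in percent, one sample per
# 5-minute interval, as a metrics pipeline might export it.
# Baseline: a freshly provisioned, known-clean instance of the same role.
BASELINE_SAMPLES = [8, 12, 10, 15, 9, 11, 14, 10, 13, 9, 12, 11]
FLEET = {
    "web-01": [9, 12, 95, 90, 11, 10, 13, 88, 9, 12, 10, 11],            # legitimate bursts
    "web-02": [99, 100, 100, 98, 100, 99, 100, 100, 99, 100, 100, 100],  # miner pegged at 100%
    "web-03": [72, 78, 75, 80, 74, 77, 79, 73, 76, 78, 75, 74],          # miner capped near 75%
    "web-04": [10, 11, 9, 12, 10, 13, 11, 10, 12, 9, 11, 10],            # idle, clean
}


def baseline_threshold(baseline, sigma=3.0):
    """Utilisation level a clean instance of this role almost never reaches."""
    return mean(baseline) + sigma * pstdev(baseline)


def sustained_floor(samples, window):
    """Highest level the CPU stayed above for `window` consecutive samples.

    A miner keeps the CPU busy continuously, so its floor is high even when it
    caps itself at 70-80 percent; a bursty legitimate job dips between bursts,
    which keeps its floor low. A plain average would blur that difference.
    """
    if len(samples) < window:
        raise ValueError("need at least %d samples" % window)
    return max(min(samples[i:i + window]) for i in range(len(samples) - window + 1))


def flag_instances(fleet, baseline, window=6, sigma=3.0):
    """Return {name: (floor, flagged)} for every instance in the fleet."""
    threshold = baseline_threshold(baseline, sigma)
    report = {}
    for name, samples in fleet.items():
        floor = sustained_floor(samples, window)
        report[name] = (floor, floor > threshold)
    return report


if __name__ == "__main__":
    for name, (floor, flagged) in flag_instances(FLEET, BASELINE_SAMPLES).items():
        print(f"{name}: sustained floor {floor}% -> {'FLAG' if flagged else 'ok'}")
```

Flagged instances are candidates for investigation, not verdicts: a batch or compute role needs its own baseline, and the finding should be correlated with process and network telemetry before concluding that a miner is present.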

Securing the Data Center from Cryptojacking

Because cryptojacking attacks leverage the same advanced techniques that threat actors have used when deploying cyberespionage tools – such as fileless attacks and known or unknown vulnerabilities – securing data centers and virtual infrastructures against this new threat requires the same multi-layered security approach one would deploy to prevent, detect, and block advanced and persistent threats.

Detecting file-based and fileless cryptojackers requires layered next-generation security that can block them at various stages of the attack lifecycle, both within the data center and on endpoints. Memory protection technologies that can identify the memory manipulation techniques associated with exploitation of known or unknown vulnerabilities can also help prevent cryptojacking samples from being dropped into the virtual workload.

Pre-execution security technologies that can detonate scripts (e.g. PowerShell, cmd and wscript), coupled with core antimalware technologies, can not only detect and block the cryptojacking payload but also stop the attack before it succeeds, by deploying security layers capable of breaking the kill chain at various stages.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.